How to get the access token after successful signin-oidc? - azure

I have this configured in my Azure Active Directory App Registrations. After the successful signin-oidc the response has id_token in the formdata, but I'm also looking for the access_token as it is checked in my configuration.

You may not have set the token response type when executing the login request; try setting the response_type to id_token+token, and you will get both the id_token and the access token.
Execute the request in the browser:
GET https://login.microsoftonline.com/e4c9ab4e-bd27-40d5-8459-230ba2axxxxx/oauth2/v2.0/authorize?
client_id=305c9958-8f6f-4bcf-a4ec-06cb4faxxxxx
&response_type=id_token+token
&redirect_uri=https://jwt.ms
&response_mode=fragment
&scope=openid+profile+email
&state=12345
&nonce=678910
Please see: Get an access token
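As an added illustration of the request above (this is example code written for this page, not the answerer's or Microsoft's), the following Python builds the v2.0 authorize URL with response_type=id_token+token and response_mode=fragment, and then parses the redirect that comes back. The tenant, client_id and fragment values in the usage are constructed placeholders. The part the answer does not spell out, and that a practitioner wants, is that state must be generated per request and checked on the callback; the nonce is likewise generated here and should be compared with the id_token's nonce claim once the token is decoded.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORITY = "https://login.microsoftonline.com"


def build_authorize_url(tenant, client_id, redirect_uri, scopes,
                        response_type="id_token token", state=None, nonce=None):
    """Build the v2.0 /authorize URL.

    state and nonce are generated with the secrets module when not supplied;
    the caller stores them in the user's session so the callback can be
    checked against them. Returns (url, state, nonce).
    """
    state = state or secrets.token_urlsafe(16)
    nonce = nonce or secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "response_type": response_type,   # "id_token token" -> both tokens
        "redirect_uri": redirect_uri,
        "response_mode": "fragment",      # tokens come back in the URL fragment
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    # urlencode turns spaces into '+', giving response_type=id_token+token
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}", state, nonce


def parse_fragment_response(redirect_url, expected_state):
    """Extract the parameters from the fragment of the redirect URL.

    Rejects the response when 'state' differs from the value we issued
    (the response is then not bound to a request this app made) and raises
    on an error response so a caller never treats 'error=...' as success.
    """
    data = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).fragment).items()}
    if data.get("state") != expected_state:
        raise ValueError("state mismatch: response is not bound to our request")
    if "error" in data:
        raise ValueError(f"{data['error']}: {data.get('error_description', '')}")
    return data


if __name__ == "__main__":
    # Placeholder tenant and client_id; constructed for the demonstration.
    url, st, nc = build_authorize_url(
        "common", "00000000-0000-0000-0000-000000000000",
        "https://jwt.ms", ["openid", "profile", "email"])
    print(url)
    # Constructed callback, shaped like the redirect the browser receives.
    callback = (f"https://jwt.ms/#access_token=eyJ.constructed.sig"
                f"&id_token=eyJ.constructed.sig&state={st}"
                f"&token_type=Bearer&expires_in=3599")
    print(parse_fragment_response(callback, st)["access_token"])
```

Returning tokens in the fragment (implicit flow) is the legacy pattern the answer shows; the authorization code flow with PKCE is what current guidance recommends for new apps, and the same state check applies there.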

Related

How to get access token using refresh token AzureAD

I want to get an access token with the help of the refresh token that I got previously.
I got the tokens using the scope: user.read offline_access openid in the OAuth2 endpoint:
https://login.microsoftonline.com/tenant.com/v2.0/token
After a couple of hours, the access token expired. Now I am trying to get it using the refresh token.
But I'm unsuccessful in it; any help is much needed.
I tried to reproduce the same in my environment and got the results below:
I created one Azure AD application and added API permissions as below:
With the parameters below, I got the tokens via Postman:
POST https://login.microsoftonline.com/tenantID/oauth2/v2.0/token
client_id:appID
grant_type:authorization_code
scope:https://graph.microsoft.com/.default
client_secret:client_secret
code:code
redirect_uri:https://jwt.ms
Response:
In order to get an access token using the above refresh token, change the grant type to refresh_token.
I got the access token successfully using the refresh token with the parameters below:
POST https://login.microsoftonline.com/tenantID/oauth2/v2.0/token
client_id:appID
grant_type:refresh_token
refresh_token: 0.AVYA_in0zaI3eUqOQHrbrD-FUv //paste the refresh token that you got above
client_secret:client_secret //Mandatory if client is web app
Response:

For IMAP.AccessAsUser.All Scope AADSTS65001: The user or administrator has not consented to use the application

In my Java web application I want to get access to the user's mailbox by using Jakarta Mail. For that purpose I followed https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth for the OAuth2 authorization code flow.
On the Azure portal I set up my app and added API permissions as below.
Now the user is redirected to the authorize endpoint below:
https://login.microsoftonline.com/5426ee07-9b73-4a9e-8075-395ab439c6fa/oauth2/v2.0/authorize?client_id=b6067ad9-7195-430b-a35d-97b7aa7beb8f&response_type=code&redirect_uri=http://localhost:8080/callback/microsoft&response_mode=query&scope=offline_access%20https%3A%2F%2Fgraph.microsoft.com%2FIMAP.AccessAsUser.All%20https%3A%2F%2Fgraph.microsoft.com%2FSMTP.Send
After entering credentials and accepting the consent, the redirect_uri gets hit with the auth code. Based on that auth code I formed the token endpoint URL and hit it from the server; the token endpoint is as follows:
URL: https://login.microsoftonline.com/5426ee07-9b73-4a9e-8075-395ab439c6fa/oauth2/v2.0/token
Form Data:
client_id=b6067ad9-7195-430b-a35d-97b7aa7beb8f
scope=offline_access%20https%3A%2F%2Foutlook.office.com%2FIMAP.AccessAsUser.All
redirect_uri=http://localhost:8080/callback/microsoft
grant_type=authorization_code
client_secret=QUs8Q~aboLBiopTezMTKwzQjIwWsFFXjc2kCRaRs (I know I have shared the secret)
code={code received from authorize end point}
The response to this POST request comes as:
{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID 'b6067ad9-7195-430b-a35d-97b7aa7beb8f' named 'Email Connector'. Send an interactive authorization request for this user and resource.\r\nTrace ID: dc008ced-e23f-4919-bd45-b7ae7c68b000\r\nCorrelation ID: 9b6ede03-3c05-4a78-8975-036a3cb20773\r\nTimestamp: 2022-06-07 19:51:30Z","error_codes":[65001],"timestamp":"2022-06-07 19:51:30Z","trace_id":"dc008ced-e23f-4919-bd45-b7ae7c68b000","correlation_id":"9b6ede03-3c05-4a78-8975-036a3cb20773","suberror":"consent_required"}
Here, I don't understand why the error says "The user or administrator has not consented to use the application"; the user has accepted the consent after entering credentials on the authorize endpoint. Even more, if we look at the screenshot above, the admin has already granted access to the directory.
I tried to reproduce the same scenario in my environment and got the same error as below:
To resolve the error, please check the authorize endpoint you are using to get the code.
Avoid using Microsoft Graph API scopes while getting the code.
Replace it with the scope you are using to get access token like below:
https://login.microsoftonline.com/Your_TenantID/oauth2/v2.0/authorize?
client_id=Your_ClientID
&response_type=code
&redirect_uri=http://localhost:8080/callback/microsoft
&response_mode=query
&scope=offline_access%20https://outlook.office.com/IMAP.AccessAsUser.All
&state=12345
Get the code from the above authorization endpoint.
I got the access token successfully after modifying the endpoint like below:
To validate the access token, decode it in jwt.io and check the aud and scp claims like below:

Office365: Refreshing access token results in "AADSTS9002313" invalid_grant exception

For the last couple of weeks we have had a few clients complaining that our app is auto-revoking Office365 OAuth every 1 hour. This is the typical behaviour, as access tokens have a validity of 1 hour, so our app is designed to auto-refresh the access token using the refresh token captured during OAuth.
This does not seem to be working for at least a few customers for the last few weeks. The exception below is thrown back by the Office365 token API - https://login.windows.net/common/oauth2/token
{"error":"invalid_grant","error_description":"AADSTS9002313: Invalid request. Request is malformed or invalid.\r\nTrace ID: 7f80c2c3-41bc-41bd-8304-b56969c83a00\r\nCorrelation ID: 5a08714a-1e7d-4f32-814d-146bc721e8ab\r\nTimestamp: 2020-10-12 05:42:11Z","error_codes":[9002313],"timestamp":"2020-10-12 05:42:11Z","trace_id":"7f80c2c3-41bc-41bd-8304-b56969c83a00","correlation_id":"5a08714a-1e7d-4f32-814d-146bc721e8ab","error_uri":"https://login.windows.net/error?code=9002313"}
Here, the error code '9002313' states there is some issue related to the auth parameters, especially the 'client_id' of our Azure app (reference).
The data below is sent to fetch a new access token:
client_id (related to azure app)
client_secret (related to azure app)
grant_type = 'refresh_token'
refresh_token
Edit 1: Update token endpoint to v2.0
Request URI
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Request Body
client_id=<client-id>
&scope=https://outlook.office365.com/Calendars.ReadWrite https://outlook.office365.com/Contacts.ReadWrite https://outlook.office365.com/Mail.ReadWrite
&refresh_token=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq...
&grant_type=refresh_token
&client_secret=<client-secret>
Response Body
{"error":"invalid_grant","error_description":"AADSTS9002313: Invalid request. Request is malformed or invalid.\r\nTrace ID: 4447c69e-09d6-4a00-8dfe-735106d71200\r\nCorrelation ID: 1820e135-a511-4516-99d9-b6cebb342eb2\r\nTimestamp: 2020-10-13 03:39:37Z","error_codes":[9002313],"timestamp":"2020-10-13 03:39:37Z","trace_id":"4447c69e-09d6-4a00-8dfe-735106d71200","correlation_id":"1820e135-a511-4516-99d9-b6cebb342eb2","error_uri":"https://login.microsoftonline.com/error?code=9002313"}
Your authority is old, and you missed the scope in the request body (if you use the v2.0 endpoint). If you want to get a new access token for O365 with the refresh token, use the sample request below.
Request url:
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Request body:
client_id=<client-id>
&scope=https://outlook.office365.com/.default
&refresh_token=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq...
&grant_type=refresh_token
&client_secret=<client-secret>
For more details, refer to the doc - Refresh the access token.
Update:
I tested it for you; it works on my side. Make sure you also get the refresh token with the v2.0 endpoint, see here.
The permissions for my app:
Test to get a new access token in Postman after getting the refresh token.
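The two failures in the posts above have the same shape: the token request asks for something the earlier step did not establish. In the AADSTS65001 case the /authorize request consented Graph scopes while the token request asked for an outlook.office.com scope; in the AADSTS9002313 case the v2.0 refresh_token request had no scope. The Python below is an added example written for this page (not the answerers' code or a Microsoft library): it checks token-endpoint scopes against the scopes that were sent to /authorize, validates the parameter set of a v2.0 token request per grant type before it is sent, and pulls the AADSTS code and suberror out of an error body. The tenant, client and token values in the test are constructed placeholders; the REQUIRED_PARAMS table reflects the requests shown in the answers above, with client_secret required only for confidential clients.

```python
import json
import re
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# OpenID Connect scopes are not tied to a resource and are ignored when
# comparing what was consented with what is requested at the token endpoint.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}

# Parameters each grant needs on the v2.0 token endpoint, as in the answers
# above. client_secret is added separately: it is mandatory only for
# confidential clients such as web apps.
REQUIRED_PARAMS = {
    "authorization_code": {"client_id", "code", "redirect_uri"},
    "refresh_token": {"client_id", "refresh_token", "scope"},
    "client_credentials": {"client_id", "client_secret", "scope"},
}


def scopes_not_consented(authorize_scope, token_scope):
    """Return the resource scopes requested at the token endpoint that never
    appeared in the /authorize request, so the user could not have consented
    to them. Both arguments are space-separated scope strings."""
    consented = set(authorize_scope.split()) - OIDC_SCOPES
    requested = set(token_scope.split()) - OIDC_SCOPES
    return sorted(requested - consented)


def build_token_request(tenant, grant_type, confidential=True, **params):
    """Validate the parameters of a v2.0 token request and return
    (url, form-encoded body). Raises ValueError naming anything missing."""
    if grant_type not in REQUIRED_PARAMS:
        raise ValueError(f"unsupported grant_type {grant_type!r}")
    needed = set(REQUIRED_PARAMS[grant_type])
    if confidential:
        needed.add("client_secret")
    missing = sorted(needed - set(params))
    if missing:
        raise ValueError(f"{grant_type} request is missing: {', '.join(missing)}")
    body = {"grant_type": grant_type, **params}
    return TOKEN_ENDPOINT.format(tenant=tenant), urlencode(body)


AADSTS_RE = re.compile(r"AADSTS(\d+)")


def diagnose_token_error(response_body):
    """Pull the AADSTS code and suberror out of a token-endpoint error body
    and map the two codes discussed on this page to what to check first."""
    err = json.loads(response_body)
    m = AADSTS_RE.search(err.get("error_description", ""))
    code = int(m.group(1)) if m else None
    suberror = err.get("suberror")
    if code == 65001 or suberror == "consent_required":
        hint = "token-endpoint scope not covered by the scopes consented at /authorize"
    elif code == 9002313:
        hint = "malformed request: on v2.0 the refresh_token grant needs a scope"
    else:
        hint = "unrecognised code; inspect error_description"
    return {"error": err.get("error"), "code": code, "suberror": suberror, "hint": hint}


if __name__ == "__main__":
    # Constructed scopes mirroring the IMAP question: Graph at /authorize,
    # outlook.office.com at the token endpoint.
    print(scopes_not_consented(
        "offline_access https://graph.microsoft.com/IMAP.AccessAsUser.All",
        "offline_access https://outlook.office.com/IMAP.AccessAsUser.All"))
    url, body = build_token_request(
        "common", "refresh_token", client_id="<client-id>",
        client_secret="<client-secret>", refresh_token="<refresh-token>",
        scope="https://outlook.office365.com/.default")
    print(url, body, sep="\n")
```

Running scopes_not_consented on the scopes from the IMAP question returns the outlook.office.com scope, which is exactly what the answer there tells the asker to move into the /authorize request.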

Calling Azure WebApi from Postman with specific scope

I use Postman to test my API hosted in Azure. First I get an Access Token like this
Since I use the grant_type `client_credentials` I have to use the default scope like this `api://my-app-id/.default`, as explained here.
But one of the endpoints of my API requires a specific scope, so the call fails because my access token does not contain this scope.
How am I supposed to test from Postman with the required scope?
If you use the Client Credential Flow to obtain an access token for an API protected by Azure, you must create an application and grant application permissions to the application (this is because the Client Credential flow has no user interaction).
Then you need to define the application permissions by editing the list of API applications. Here is an example.
Next, grant application permissions to the application:
Refer to this document and use the Client Credential flow to get an access token:
1. First you need to get the administrator's consent:
GET https://login.microsoftonline.com/{tenant}/adminconsent?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345
&redirect_uri=http://localhost/myapp/permissions
2. Then you can get the access token by sharing the secret:
POST /{tenant}/oauth2/v2.0/token HTTP/1.1 //Line breaks for clarity
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
&scope=api://your-app-id/.default
&client_secret=qWgdYAmab0YSkuL1qKv5bPX
&grant_type=client_credentials
Parse the token and you will see your custom roles:
Try using the token to access your API.
Update:
According to your mistakes, there is user interaction, so if you want to use a user token, you should not use the Client Credential Flow but the auth code flow, and grant the client application Delegated permissions.
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=api://11f5aca5-ba22-4b7b-8312-60a09aab7xxx/Files.Upload
&state=12345
POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=api://11f5aca5-ba22-4b7b-8312-60a09aab7df5/Files.Upload
&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
&client_secret=JqQX2PNo9bpM0uEihUPzyrh
Parse the token and you will see your custom scp:
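Both this answer and the IMAP answer above end with "parse the token and check the claims" (scp for delegated permissions, roles for application permissions, aud for the audience). The Python below is an added example for this page, not the answerer's code: it decodes the payload of a compact JWT the way jwt.ms or jwt.io does and compares aud, scp, roles and exp with what an API expects. The decoding deliberately does not verify the signature; that is inspection for debugging, and an API must still validate the signature against the tenant's signing keys before trusting any claim. make_sample_token produces a constructed, unsigned token with a placeholder signature segment so the example runs offline.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    """Base64url decode, restoring the padding that JWTs strip off."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS. This only parses; it does
    not verify the signature, so the result is for inspecting what a token
    carries (as jwt.ms / jwt.io do), not for authorising a request."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_access_token(token, expected_aud, required_scopes=(), required_roles=(), now=None):
    """Compare the token's aud, scp, roles and exp claims with what the API
    expects and return a list of problems (an empty list means all checks
    passed). scp is a space-separated string (delegated permissions from the
    auth code flow); roles is a list (application permissions from the
    client-credentials flow)."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != expected_aud:
        problems.append(f"aud is {claims.get('aud')!r}, expected {expected_aud!r}")
    scp = set(claims.get("scp", "").split())
    missing_scp = set(required_scopes) - scp
    if missing_scp:
        problems.append(f"scp missing {sorted(missing_scp)}")
    roles = set(claims.get("roles", []))
    missing_roles = set(required_roles) - roles
    if missing_roles:
        problems.append(f"roles missing {sorted(missing_roles)}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for demonstration only: the
    signature segment is a placeholder, so decode_claims parses it while a
    real validator would reject it."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


if __name__ == "__main__":
    # Constructed claims shaped like the Files.Upload example in the answer;
    # api://my-app-id is a placeholder Application ID URI.
    token = make_sample_token({"aud": "api://my-app-id", "scp": "Files.Upload",
                               "exp": int(time.time()) + 3600})
    print(decode_claims(token))
    print(check_access_token(token, "api://my-app-id", required_scopes=["Files.Upload"]))
    # A token minted for another audience fails the aud check.
    other = make_sample_token({"aud": "https://graph.microsoft.com", "scp": "User.Read",
                               "exp": int(time.time()) + 3600})
    print(check_access_token(other, "api://my-app-id", required_scopes=["Files.Upload"]))
```

The second call in the usage shows the situation from the Postman 401 question further down: a token obtained for the wrong audience or scope decodes fine but does not carry the aud and scp the API is checking for.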

Azure Functions returns "401 Unauthorized" only with Postman

I have some trouble trying to call an Azure Function (code) with Postman.
I have already set up the Authentication / Authorization and settings.
It's working with my browser (with login page).
But when I try to use Postman, I'm getting a 401:
"You do not have permission to view this directory or page."
I also tried to use the Postman built-in (see configuration) OAuth2 to log in. I can successfully get the tokens (access and refresh). But it seems that my API requests to the functions are not working...
Here is the final API Call: postman screenshot
The aad tenant_id starts with 8d6, the application client_id starts with 226, and the app secret ends with Av2.
Is there anything wrong...? It looks like Azure Functions actually handle only cookies for the authentication; that's why it's working with the browser and not Postman. How can I make it work with the Authorization / Bearer header?
Thanks for your help!
The way you got the access token is not correct. Just like #Marc said, in your Postman you are not specifying a resource or scope. The Postman "get new access token" tool only has the scope parameter, so you should use the v2.0 endpoint to get the access token.
Auth URL:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
Access Token URL:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Scope:
{clientId}/.default